HTTP-Authentification #23

Closed
boergegrunicke opened this issue Aug 23, 2016 · 40 comments

Comments

@boergegrunicke

it would be good to enable optional http authentication for the update-server

@edvin
Owner

edvin commented Aug 23, 2016

Do you mean basic authentication?

@boergegrunicke
Author

yes

@edvin
Owner

edvin commented Aug 23, 2016

I'm unsure of how we would distribute the credentials in a safe way. Putting it inside the manifest would be unsafe I think.

@boergegrunicke
Author

i think that's true ... maybe you could type the credentials into an extra file and while creating the manifest the CreateManifest generates a hash of the password and stores only the hash inside the manifest?

@edvin
Owner

edvin commented Aug 24, 2016

If it stores only the hash we can't possibly re-create the credentials from the hash when it's time to make the http request with the credentials :)

@boergegrunicke
Author

wouldn't it be enough to transmit only the hash?
if you store the credentials on server side in a database you would also only store the hash in the database, couldn't you use the same principle here?

@edvin
Owner

edvin commented Aug 24, 2016

The client needs to send username/password credentials which can be matched against the hash. You can't just send the hash. If you send the hash, that is basically the password, so that makes no sense. Either way, storing the credentials that give you access to the resource in the manifest would be unsafe.

What about this: If the remote update server requires authentication, we prompt the user for it?

@boergegrunicke
Author

of course this would be a good idea, but i would also think the option to store them inside the manifest, of course this is not secure but on systems that do not really need security but have http-basic-authentication enabled it would be possible to make a user that has only access to the update files. maybe switching between variants or none would be good

@edvin
Owner

edvin commented Aug 24, 2016

In that case you can just add basic auth parameters to the url like this:

https://username:password@hostname/path

This can be easily extracted via the URL.getUserInfo(), so that if there are credentials supplied in the url I can split with : and base64 encode and put the result in a basic auth header. Sounds good?
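
The approach described in the comment above, sketched as an added example; it is not part of the thread and not FXLauncher's own code. The class and method names are hypothetical, the host and credentials are constructed, and it uses java.net.URI because its getUserInfo() returns the percent-decoded value. It also sends the request to a URL with the user info stripped, so the password does not travel on into log lines or exception messages that print the URL.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not FXLauncher's.
public class ManifestUrlAuth {

    /** Authorization header value for the user info in the URI, or null if there is none. */
    static String basicAuthHeader(URI uri) {
        String userInfo = uri.getUserInfo();            // percent-decoded "user:password"
        if (userInfo == null || userInfo.isEmpty()) return null;
        if (userInfo.indexOf(':') < 0) userInfo += ":"; // user name only: empty password
        // The whole "user:password" string is encoded as-is, so a ':' inside the password is kept.
        byte[] raw = userInfo.getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Same URI without user info, safe to put in log lines and exception messages. */
    static URI withoutCredentials(URI uri) throws URISyntaxException {
        return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                uri.getPath(), uri.getQuery(), uri.getFragment());
    }

    /** Basic auth is only base64-encoded, so over plain http the password is readable on the wire. */
    static boolean sendsPasswordInClear(URI uri) {
        return uri.getUserInfo() != null && !"https".equalsIgnoreCase(uri.getScheme());
    }

    /** Opens a connection to the credential-free URL and moves the credentials into the header. */
    static HttpURLConnection open(URI uri) throws Exception {
        HttpURLConnection conn =
                (HttpURLConnection) withoutCredentials(uri).toURL().openConnection();
        String header = basicAuthHeader(uri);
        if (header != null) conn.setRequestProperty("Authorization", header);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; %40 is an encoded '@' inside the password.
        URI base = new URI("http://updater:s3cr%40t@host.example/app/");
        URI jar = base.resolve("someJar.jar");          // keeps the /app/ path and the user info
        System.out.println("request URL : " + withoutCredentials(jar));
        System.out.println("header      : " + basicAuthHeader(jar));
        System.out.println("cleartext?  : " + sendsPasswordInClear(jar));
        HttpURLConnection conn = open(jar);             // no network traffic until a request is made
        System.out.println("conn URL    : " + conn.getURL());
    }
}
```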

@boergegrunicke
Author

sounds good, but did not work for me, i already tried this yesterday. our application-server explicitly wants the credentials inside the http-header, not in the url ....

@edvin
Owner

edvin commented Aug 24, 2016

Of course, but if you're fine with that approach, I'll make sure FXLauncher adds the header :) Should we try this?

@boergegrunicke
Author

sounds good! :-)

@edvin
Owner

edvin commented Aug 24, 2016

Great, I just committed support for basic auth credentials in the urlinfo part of the manifest url. Let me know how it turns out!

@boergegrunicke
Author

currently i do not know why but it does not work. i tried it in my web browser and this worked only when i did not enter "http://". i tried it in the manifest-file with http:// and without http://, i also tried including the port but it does not update.

@edvin
Owner

edvin commented Aug 25, 2016

I'm not sure what you mean. Does basic auth only work in your browser when you don't add http://?

Can you try to start it via java -jar fxlauncher.jar from the command line and send me the output? I'm sure there is a stack trace there.

@edvin
Owner

edvin commented Sep 9, 2016

I have confirmed that this is working now - you can include credentials in the url like: http://user:password@host/path.

@edvin edvin closed this as completed Sep 9, 2016

@matheso

matheso commented Sep 11, 2016

Hi Edvin,

I've spent the past 12 hours reading your content and all the different questions, but I'm still struggling to deploy the files to my web server. I'll try to be succinct about the problem. The pom file is at the bottom.

  1. The command mvn package properly creates the 3 jars and 1 .xml within target/app as shown in your screencast.
  2. The command mvn exec:exec@deploy-app causes a BUILD ERROR, but mvn exec:java@deploy-app causes BUILD SUCCESS, perhaps because I use Windows OS. I also noticed that I will get a BUILD ERROR if I keep the pom.xml file's mainClass <configuration> code within the <executions> tags. If I move the <configuration> code beneath the <executions> tags, it returns a BUILD SUCCESS, like so:
                <executions>
.....
.........
..............
                    <!-- Copy application artifacts to remote site using scp (optional) -->
                    <execution>
                        <id>deploy-app</id>
                        <goals>
                            <goal>exec</goal>
                        </goals>
                        <configuration>
                            <executable>scp</executable>
                            <arguments>
                                <argument>-r</argument>
                                <argument>${app.dir}/.</argument>
                                <argument>${app.deploy.target}</argument>
                            </arguments>
                        </configuration>
                    </execution>
                </executions>
                <!-- Notice how configuration code for mainClass is outside executions code? -->
                <configuration>
                    <mainClass>fxlauncher.CreateManifest</mainClass>
                    <arguments>
                        <argument>${app.url}</argument>
                        <argument>${app.mainClass}</argument>
                        <argument>${app.dir}</argument>
                        <argument>--cache-dir=${app.cacheDir}</argument>
                        <argument>--accept-downgrade=${app.acceptDowngrade}</argument>
                        <argument>${app.parameters}</argument>
                    </arguments>
                </configuration>
            </plugin>

However, despite receiving a BUILD SUCCESS message with the mvn exec:java@deploy-app command, I don't see the 4 files being updated to my server.

Observation: From 1.08 to 1.12 in your screencast it shows you uploading the files to demo.example. I don't understand how to replicate this process with my actual settings. Since I want to eventually deploy updates to paying clients, I need FXLauncher to provide a secure connection method to the hosted artifacts.

You mention using http://user:password@host/path ... which I assume means the pom.xml file should be updated on this line, like so:
<app.url>http://admin:[email protected]/artifacts/</app.url>

I tried the following different combinations, editing the pom.xml each time, then running mvn package and then mvn exec:java@deploy-app . None have uploaded the files to my web server. FTPuser and FTPpass below obviously represent my actual FTP details, and I've also tried using my login credentials for my hosting service provider (NameCheap.com).

<app.url>http://FTPuser:[email protected]/artifacts/</app.url>

<app.url>https://FTPuser:[email protected]/artifacts/</app.url>
----------------^ notice the 's' added

<app.url>http://HOSTuser:[email protected]/artifacts/</app.url>

<app.url>https://HOSTuser:[email protected]/artifacts/</app.url>

Questions:

  1. What am I doing wrong? I'm getting a BUILD SUCCESS when I deploy but no upload occurs.
  2. How safe is this approach? If end-users can expose those credentials, I don't want to use this method. You proposed that if the remote update server requires authentication, you can prompt the user for it, but the end-user wouldn't/shouldn't know my credentials anyways, so I'm confused there.

Deploying with scp is available but it's unclear how credentials are transferred and the security of it.

I'm clearly confused about a number of issues, can you please help me out? Thanks so much!

pom.xml (pastebin link)

@edvin
Owner

edvin commented Sep 11, 2016

Hi,

The maven example uses scp to copy the files to your webserver using SSH. scp is not a part of a default Windows installation, so you would need to install this separately for the deploy step to work. You would also need to create an ssh key and copy the public key part into the .ssh/authorized_keys file on the server where you deploy to.

I suspect your problem is that you either do not have scp in your path, or that your server does not support SSH. If that's the case, you should probably change the scp step to use ftp instead. The correct command to use in your case depends on your ftp client, but try it on the command line first and then incorporate it into your build when you have it working.

Another alternative is simply to skip the deploy-app step and copy the resources in target\app to your webserver manually using an FTP client you are familiar with.

Do not confuse this with the user:pass part of the app url - this is used by the client to gain access to the app resources when it downloads them over HTTP. I do not recommend that really. I think it is a far better choice to build the licensing/authentication into your application. Let anyone install the app if they want, and control access to the app using credentials or a license key inside the app.

Down the line I'm going to create a Maven plugin for FXLauncher (like we have for Gradle). In there I could probably support built in transfer using SSH and/or FTP to make this a bit easier.

@matheso

matheso commented Sep 11, 2016

Very helpful reply, I should be fine from here on out. Thank you very much

@edvin
Owner

edvin commented Sep 11, 2016

Please let me know if you get stuck, we'll make sure you get this working :)

@matheso

matheso commented Sep 14, 2016

Hi Edvin,

I wanted to try my best before responding, but I can proudly say I got it working with my FTP server. I'm very impressed with what you've created. I have a few resulting questions that I'm hoping you can clarify, I didn't know whether to start a new "Issue" or not, since they're not really issues.

For reference, here is my pom.xml

Steps:

  1. Using the commands mvn clean compile and then mvn package successfully creates target/app containing app.xml, fxlauncher.jar, and all the jar dependencies.
  2. I then manually upload all of the contents of target/app into a sub-directory of the ftp url specified in my pom <url>ftp://example.com/</url> .
  3. I then copy/paste fxlauncher.jar onto my desktop.
  4. I then make changes to my application and repeat step #2.
  5. I then run java -jar C:\Users\ME\Desktop\fxlauncher.jar from command prompt and it successfully pulls down the updates and displays them.

Questions:

  1. What is the point of having a "native installer" which is created via mvn exec:exec@installer if the fxlauncher.jar created via mvn package seems to do precisely that? I isolated the jar to my desktop yet it still retrieves updates, so couldn't I just ship this fxlauncher.jar to my users, what is the benefit of the installer's fxlauncher? Notice how I only did mvn package and not mvn exec:exec@installer, yet I got the intended results.
  2. Third-party libraries licensed under LGPL require dynamically-linked libraries in order for my app to remain closed source. Doesn't the fxlauncher.jar contradict this requirement, since end users only have access to this single jar, and not the individual jars, dlls which are housed within?

I need to rely on FXLauncher in a commercial application, so have to fully understand what I'm doing. Thanks for your time Edvin.

Additional Notes:
I plan to use scp once development is complete, or perhaps I should use SFTP since I'm comfortable with FTP. Feel free to comment on this, the structure of my pom file, or anything else. :)

@edvin
Owner

edvin commented Sep 14, 2016

Glad to hear that you got it working!

  1. If you just ship fxlauncher.jar, your users must have Java installed for it to work. Also, you will get no desktop integration (Start menu icon etc). People with Java installed will probably start your app from the downloads folder, and that's where the other libraries will end up as well, creating a mess. If you create a native installer, the app and the artifacts it downloads will be placed in a well defined place on the machine, and a start menu icon is available, with your icon and app name if you so choose. The difference in user experience is huge :)
  2. Using FXLauncher will not change anything, it is only about packaging and access to the other libraries. The individual jars are not housed within, they are just downloaded separately.

Your pom looks perfect :)

@matheso

matheso commented Sep 17, 2016

Hi Edvin,

For the past 4 days I've struggled to migrate the pom away from using ftp over to sftp. The <properties> section that FXLauncher requires in pom.xml contains a <app.url> tag which previously contained <app.url>http://example.com/demo/</app.url> using ftp settings but do you know what it should be for sftp?

I'm using CoreFTP's free mini-server (localhost, port 22) to test how FXLauncher works with sftp, I have freeSSHd running, can access/transfer files through the client GUI and also by using this functional SSCCE but when I run fxlauncher.jar from terminal it gives me this error:

C:\Windows\System32>java -jar C:\Users\ME\Documents\ProjectA\target\app\fxlauncher.jar
Sep 17, 2016 4:41:27 PM fxlauncher.Launcher syncManifest
WARNING: Unable to update manifest
javax.xml.bind.DataBindingException: javax.xml.bind.UnmarshalException
 - with linked exception:
[java.net.ConnectException: Connection refused: connect]
    at javax.xml.bind.JAXB.unmarshal(JAXB.java:189)
    at fxlauncher.Launcher.syncManifest(Launcher.java:230)
    at fxlauncher.Launcher.updateManifest(Launcher.java:128)
    at fxlauncher.Launcher.lambda$start$0(Launcher.java:60)
    at java.lang.Thread.run(Thread.java:745)

Right now I'm using <app.url>http://username@localhost</app.url> in properties, but also tried <app.url>http://username@localhost:22</app.url> and also using sftp://.... for both as well. Perhaps I should be sending the password too. This official Apache example shows SSH deployment using scpexe:// ... which leaves me asking...

Have you any ideas as to how we can use FXLauncher with SFTP (localhost or otherwise) referring to <distributionManagement>, <build>, and settings.xml information? I'm hopelessly lost, anything helps. Thank you!

@edvin
Owner

edvin commented Sep 17, 2016

You are mixing a couple of concepts here. First of all, app.url is only used for fxlauncher to find the manifest, so it is always an http:// url or https:// url. It has nothing to do with how you transfer the files to the webserver where you host them :)

Unless the manifest and resources are not protected by basic auth, the app url should not contain user:pass or :22 (port 22 is used for ssh, while your webserver probably runs on the default port 80).

In your pom, set app.deploy.target to the scp url and path to the server where you want to deploy/place the resources. This has nothing to do with http, it has just to do with transferring the files to that server.

For example, let's say your app is hosted at http://example.com/app, then that would be your app.url. The app.deploy.target will be the url scp needs to transfer those files so that they will be visible on that url. For example, if the files are located in /var/www/app, your scp url would be something like [email protected]/var/www/app. For this to work you would need to install your ssh public key into the .ssh/authorized_keys file in the home folder of user on that server. Alternatively you must supply your password to scp each time you deploy.

You should then be able to test the file upload manually by doing scp -r target/app/* [email protected]/var/www/app. If that works, it will work in the build file as well.

Based on your pom I would say you are nearly there, just put the scp url in the app.deploy.target slot :)

Hope this helps :)

@edvin
Owner

edvin commented Sep 18, 2016

Look at line 55 in your pom :) Put the scp/sftp url there. Sftp/scp urls are interchangeable. You can leave the sftpexe:// part out, just start the url with your username :) If this doesn't help I'll try to create a screencast to describe this better :)

@humpfle

humpfle commented Oct 25, 2016

Basic auth is not working for me: i.e. <app.url>http://user:[email protected]/**ignoredpath**</app.url> shows exception: FileNotFoundException: http://user:[email protected]/someJar.jar

The path is ignored... Any hints? Thanks

@edvin
Owner

edvin commented Oct 25, 2016

So you want it to access http://user:[email protected]/ignoredpath/someJar.jar and it tries to access http://user:[email protected]/someJar.jar is that correct?

@humpfle

humpfle commented Oct 25, 2016

yes, this is correct

@edvin
Owner

edvin commented Oct 25, 2016

OK, thanks. I will have a look as soon as I can. Can you create a separate issue? This one is about the addition of basic auth, while your issue seems to be a bug. Better to track it in a separate issue.

@humpfle

humpfle commented Oct 25, 2016

ok, here we go: #32

@edvin
Owner

edvin commented Oct 25, 2016

Thank you. I will get to it shortly.

@mkotsovoulou

mkotsovoulou commented May 27, 2017

Hello everyone!
I am trying to deploy the app on my web server...
scp -r target/app/ user@hostname:/home/xyz/apache-tomcat-6.0.20/webapps/App*
Works well from command line... but asks for user password

My pom.xml

<app.url>http://user@hostname:/home/xyz/apache-tomcat-6.0.20/webapps/App</app.url>

<app.deploy.target>/home/xyz/apache-tomcat-6.0.20/webapps/App</app.deploy.target>

Result when I execute: mvn exec:exec@deploy-app
cp: /home/xyz/apache-tomcat-6.0.20/webapps/App: No such file or directory
but does not prompt for password...

Where should I store the password for the scp???

I tried also in pom.xml
<app.url>http://user:password@hostname:/home/xyz/apache-tomcat-6.0.20/webapps/App</app.url>
but again I got No such file or directory

Any directions?
Thank you,
Maira

@edvin
Owner

edvin commented May 27, 2017

The best way to deal with ssh credentials is by copying your public key (.ssh/id_dsa.pub or .ssh/id_rsa.pub) to .ssh/authorized_keys on the target server. Then you supply only the username in the app.deploy.target parameter:

<app.deploy.target>username@hostname:/home/xyz/apache-tomcat-6.0.20/webapps/App</app.deploy.target>

@mkotsovoulou

mkotsovoulou commented May 27, 2017

FIXED: pom.xml
<app.url>http://hostname/home/xyz/apache-tomcat-6.0.20/webapps/App/</app.url>
<app.deploy.target>user@hostname:apache-tomcat-6.0.20/webapps/App/</app.deploy.target>

THANKS!!!

@edvin
Owner

edvin commented May 27, 2017

That sounds about right :) Great!

@mkotsovoulou

But I have another small problem :-(
when I try to package the app:
mvn package
I get a java.io.FileNotFoundException: fxlauncher.jar (No such file or directory)
...while a few steps above it successfully creates the dependencies:
[INFO] Copying fxlauncher-1.0.16.jar to /Volumes/Data/IdeaProjects/myMavenApp/target/dependency/fxlauncher.jar

If I manually copy fxlauncher.jar to: /target/app/ then packaging works well...

Any ideas why packaging fails?

Best,
Mairako

@mkotsovoulou

mkotsovoulou commented May 27, 2017 via email

@edvin
Owner

edvin commented May 27, 2017

My pleasure :)

@ravenp1992

ravenp1992 commented Nov 8, 2017

@edvin
Hello, I am new to fxlauncher. I'm having trouble with how not to embed the app.xml file. My goal is to change the URI where the update should be fetched, so the update still works even if I change it. Tia.

this is the current pom.xml
I tried to add an argument inside embed-manifest-in-launcher like --uri=${app.url} and it returns an error.

@edvin
Owner

edvin commented Nov 8, 2017

You can simply change the url and redeploy your app to both the old and new location, then clients will retrieve the files from the new location after they have contacted the old location once.
